Support selectors

Author: n1v0lg

server/src/main/java/org/elasticsearch/TransportVersions.java

@@ -180,6 +180,7 @@ static TransportVersion def(int id) {
     public static final TransportVersion REMOVE_DESIRED_NODE_VERSION = def(9_004_0_00);
     public static final TransportVersion ESQL_DRIVER_TASK_DESCRIPTION = def(9_005_0_00);
     public static final TransportVersion ESQL_RETRY_ON_SHARD_LEVEL_FAILURE = def(9_006_0_00);
+    public static final TransportVersion ROLE_SELECTORS_FIELD = def(9_007_0_00);
 
     /*
      * STOP! READ THIS FIRST! No, really,

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/RoleDescriptor.java

@@ -51,8 +51,6 @@
 import java.util.Locale;
 import java.util.Map;
 import java.util.Objects;
-import java.util.Set;
-import java.util.stream.Collectors;
 
 import static org.elasticsearch.common.xcontent.XContentHelper.createParserNotCompressed;
 import static org.elasticsearch.xpack.core.security.authz.permission.RemoteClusterPermissions.ROLE_REMOTE_CLUSTER_PRIVS;
@@ -925,6 +923,7 @@ private static IndicesPrivilegesWithOptionalRemoteClusters parseIndexWithOptiona
         String[] deniedFields = null;
         boolean allowRestrictedIndices = false;
         String[] remoteClusters = null;
+        List<String> selectors = null;
         while ((token = parser.nextToken()) != XContentParser.Token.END_OBJECT) {
             if (token == XContentParser.Token.FIELD_NAME) {
                 currentFieldName = parser.currentName();
@@ -1082,6 +1081,8 @@ private static IndicesPrivilegesWithOptionalRemoteClusters parseIndexWithOptiona
                         Fields.TRANSIENT_METADATA
                     );
                 }
+            } else if (Fields.SELECTORS.match(currentFieldName, parser.getDeprecationHandler())) {
+                selectors = Arrays.stream(readStringArray(roleName, parser, true)).toList();
             } else if (allowRemoteClusters && Fields.CLUSTERS.match(currentFieldName, parser.getDeprecationHandler())) {
                 remoteClusters = readStringArray(roleName, parser, false);
             } else {
@@ -1116,6 +1117,9 @@ private static IndicesPrivilegesWithOptionalRemoteClusters parseIndexWithOptiona
             );
         }
         checkIfExceptFieldsIsSubsetOfGrantedFields(roleName, grantedFields, deniedFields);
+        if (selectors == null) {
+            selectors = IndicesPrivileges.DEFAULT_SELECTORS;
+        }
         return new IndicesPrivilegesWithOptionalRemoteClusters(
             IndicesPrivileges.builder()
                 .indices(names)
@@ -1124,6 +1128,7 @@ private static IndicesPrivilegesWithOptionalRemoteClusters parseIndexWithOptiona
                 .deniedFields(deniedFields)
                 .query(query)
                 .allowRestrictedIndices(allowRestrictedIndices)
+                .selectors(selectors)
                 .build(),
             remoteClusters
         );
@@ -1337,6 +1342,7 @@ public RemoteIndicesPrivileges build() {
      */
     public static class IndicesPrivileges implements ToXContentObject, Writeable, Comparable<IndicesPrivileges> {
 
+        private static final List<String> DEFAULT_SELECTORS = List.of(IndexComponentSelector.DATA.getKey());
         private static final IndicesPrivileges[] NONE = new IndicesPrivileges[0];
 
         private String[] indices;
@@ -1348,6 +1354,7 @@ public static class IndicesPrivileges implements ToXContentObject, Writeable, Co
         // users. Setting this flag eliminates this special status, and any index name pattern in the permission will cover restricted
         // indices as well.
         private boolean allowRestrictedIndices = false;
+        private List<String> selectors;
 
         private IndicesPrivileges() {}
 
@@ -1358,6 +1365,11 @@ public IndicesPrivileges(StreamInput in) throws IOException {
             this.privileges = in.readStringArray();
             this.query = in.readOptionalBytesReference();
             this.allowRestrictedIndices = in.readBoolean();
+            if (in.getTransportVersion().onOrAfter(TransportVersions.ROLE_SELECTORS_FIELD)) {
+                this.selectors = in.readStringCollectionAsList();
+            } else {
+                this.selectors = DEFAULT_SELECTORS;
+            }
         }
 
         @Override
@@ -1368,6 +1380,9 @@ public void writeTo(StreamOutput out) throws IOException {
             out.writeStringArray(privileges);
             out.writeOptionalBytesReference(query);
             out.writeBoolean(allowRestrictedIndices);
+            if (out.getTransportVersion().onOrAfter(TransportVersions.ROLE_SELECTORS_FIELD)) {
+                out.writeStringCollection(selectors);
+            }
         }
 
         public static Builder builder() {
@@ -1378,11 +1393,12 @@ public String[] getIndices() {
             return this.indices;
         }
 
-        public static Set<String> filterFailureIndices(Set<String> indices) {
-            return indices.stream().filter(index -> {
-                // TODO improve check
-                return index != null && index.endsWith("::" + IndexComponentSelector.FAILURES.getKey());
-            }).collect(Collectors.toSet());
+        public boolean matchesSelector(IndexComponentSelector selector) {
+            return selectors.contains(selector.getKey());
+        }
+
+        public List<String> getSelectors() {
+            return this.selectors;
         }
 
         public String[] getPrivileges() {
@@ -1438,6 +1454,7 @@ public boolean hasGrantedFields() {
 
         @Override
         public String toString() {
+            // TODO selectors
             StringBuilder sb = new StringBuilder("IndicesPrivileges[");
             sb.append("indices=[").append(Strings.arrayToCommaDelimitedString(indices));
             sb.append("], allowRestrictedIndices=[").append(allowRestrictedIndices);
@@ -1482,6 +1499,8 @@ public boolean equals(Object o) {
             if (Arrays.equals(privileges, that.privileges) == false) return false;
             if (Arrays.equals(grantedFields, that.grantedFields) == false) return false;
             if (Arrays.equals(deniedFields, that.deniedFields) == false) return false;
+            // TODO
+            if (Objects.equals(selectors, that.selectors) == false) return false;
             return Objects.equals(query, that.query);
         }
 
@@ -1493,6 +1512,8 @@ public int hashCode() {
             result = 31 * result + Arrays.hashCode(grantedFields);
             result = 31 * result + Arrays.hashCode(deniedFields);
             result = 31 * result + (query != null ? query.hashCode() : 0);
+            // TODO NPE?
+            result = 31 * result + (selectors != null ? selectors.hashCode() : 0);
             return result;
         }
 
@@ -1521,6 +1542,10 @@ XContentBuilder innerToXContent(XContentBuilder builder, boolean withPrivileges)
             if (query != null) {
                 builder.field("query", query.utf8ToString());
             }
+            // Hide default selectors
+            if (selectors.equals(List.of("data")) == false) {
+                builder.stringListField("selectors", selectors);
+            }
             return builder.field(RoleDescriptor.Fields.ALLOW_RESTRICTED_INDICES.getPreferredName(), allowRestrictedIndices);
         }
 
@@ -1577,6 +1602,11 @@ public Builder privileges(String... privileges) {
                 return this;
             }
 
+            public Builder selectors(List<String> selectors) {
+                indicesPrivileges.selectors = selectors;
+                return this;
+            }
+
             public Builder privileges(Collection<String> privileges) {
                 return privileges(privileges.toArray(new String[privileges.size()]));
             }
@@ -1888,6 +1918,7 @@ public interface Fields {
         ParseField APPLICATIONS = new ParseField("applications");
         ParseField RUN_AS = new ParseField("run_as");
         ParseField NAMES = new ParseField("names");
+        ParseField SELECTORS = new ParseField("selectors");
         ParseField ALLOW_RESTRICTED_INDICES = new ParseField("allow_restricted_indices");
         ParseField RESOURCES = new ParseField("resources");
         ParseField QUERY = new ParseField("query");

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/permission/Role.java

@@ -305,18 +305,17 @@ public Builder add(
             IndexComponentSelector selector,
             String... indices
         ) {
-            // TODO assert no failures suffixes left
             groups.add(new IndicesPermissionGroupDefinition(privilege, fieldPermissions, query, allowRestrictedIndices, selector, indices));
             return this;
         }
 
-        // TODO allowFailureStoreAccess
         public Builder addRemoteIndicesGroup(
             final Set<String> remoteClusterAliases,
             final FieldPermissions fieldPermissions,
             final Set<BytesReference> query,
             final IndexPrivilege privilege,
             final boolean allowRestrictedIndices,
+            IndexComponentSelector indexComponentSelector,
             final String... indices
         ) {
             remoteIndicesGroups.computeIfAbsent(remoteClusterAliases, k -> new ArrayList<>())
@@ -326,7 +325,7 @@ public Builder addRemoteIndicesGroup(
                         fieldPermissions,
                         query,
                         allowRestrictedIndices,
-                        IndexComponentSelector.DATA,
+                        indexComponentSelector,
                         indices
                     )
                 );
@@ -472,28 +471,41 @@ static SimpleRole buildFromRoleDescriptor(
                     indexPrivilege.getQuery() == null ? null : Collections.singleton(indexPrivilege.getQuery()),
                     IndexPrivilege.get(Sets.newHashSet(indexPrivilege.getPrivileges())),
                     indexPrivilege.allowRestrictedIndices(),
-                    IndexComponentSelector.ALL_APPLICABLE,
-                    indexPrivilege.getIndices()
-                );
-            } else {
-                builder.add(
-                    fieldPermissionsCache.getFieldPermissions(
-                        new FieldPermissionsDefinition(indexPrivilege.getGrantedFields(), indexPrivilege.getDeniedFields())
-                    ),
-                    indexPrivilege.getQuery() == null ? null : Collections.singleton(indexPrivilege.getQuery()),
-                    IndexPrivilege.get(Sets.newHashSet(indexPrivilege.getPrivileges())),
-                    indexPrivilege.allowRestrictedIndices(),
-                    IndexComponentSelector.DATA,
+                    IndexComponentSelector.FAILURES,
                     indexPrivilege.getIndices()
                 );
             }
+            builder.add(
+                fieldPermissionsCache.getFieldPermissions(
+                    new FieldPermissionsDefinition(indexPrivilege.getGrantedFields(), indexPrivilege.getDeniedFields())
+                ),
+                indexPrivilege.getQuery() == null ? null : Collections.singleton(indexPrivilege.getQuery()),
+                IndexPrivilege.get(Sets.newHashSet(indexPrivilege.getPrivileges())),
+                indexPrivilege.allowRestrictedIndices(),
+                IndexComponentSelector.DATA,
+                indexPrivilege.getIndices()
+            );
         }
 
         for (RoleDescriptor.RemoteIndicesPrivileges remoteIndicesPrivileges : roleDescriptor.getRemoteIndicesPrivileges()) {
             final String[] clusterAliases = remoteIndicesPrivileges.remoteClusters();
             assert Arrays.equals(new String[] { "*" }, clusterAliases)
                 : "reserved role should not define remote indices privileges for specific clusters";
             final RoleDescriptor.IndicesPrivileges indicesPrivileges = remoteIndicesPrivileges.indicesPrivileges();
+            // TODO properly handle this
+            if (Arrays.asList(indicesPrivileges.getIndices()).contains("*")) {
+                builder.addRemoteIndicesGroup(
+                    Set.of(clusterAliases),
+                    fieldPermissionsCache.getFieldPermissions(
+                        new FieldPermissionsDefinition(indicesPrivileges.getGrantedFields(), indicesPrivileges.getDeniedFields())
+                    ),
+                    indicesPrivileges.getQuery() == null ? null : Collections.singleton(indicesPrivileges.getQuery()),
+                    IndexPrivilege.get(Set.of(indicesPrivileges.getPrivileges())),
+                    indicesPrivileges.allowRestrictedIndices(),
+                    IndexComponentSelector.FAILURES,
+                    indicesPrivileges.getIndices()
+                );
+            }
             builder.addRemoteIndicesGroup(
                 Set.of(clusterAliases),
                 fieldPermissionsCache.getFieldPermissions(
@@ -502,6 +514,7 @@ static SimpleRole buildFromRoleDescriptor(
                 indicesPrivileges.getQuery() == null ? null : Collections.singleton(indicesPrivileges.getQuery()),
                 IndexPrivilege.get(Set.of(indicesPrivileges.getPrivileges())),
                 indicesPrivileges.allowRestrictedIndices(),
+                IndexComponentSelector.DATA,
                 indicesPrivileges.getIndices()
             );
         }

x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/permission/LimitedRoleTests.java

@@ -102,6 +102,7 @@ public void testGetRoleDescriptorsIntersectionForRemoteCluster() {
                 baseQuery,
                 basePrivilege,
                 baseAllowRestrictedIndices,
+                IndexComponentSelector.DATA,
                 baseIndices
             )
             // This privilege should be ignored (wrong alias)
@@ -111,6 +112,7 @@ public void testGetRoleDescriptorsIntersectionForRemoteCluster() {
                 randomDlsQuery(),
                 randomIndexPrivilege(),
                 randomBoolean(),
+                IndexComponentSelector.DATA,
                 randomAlphaOfLengthBetween(4, 6)
             )
             .addRemoteClusterPermissions(
@@ -147,6 +149,7 @@ public void testGetRoleDescriptorsIntersectionForRemoteCluster() {
                 limitedQuery,
                 limitedPrivilege,
                 limitedAllowRestrictedIndices,
+                IndexComponentSelector.DATA,
                 limitedIndices
             )
             // This privilege should be ignored (wrong alias)
@@ -156,6 +159,7 @@ public void testGetRoleDescriptorsIntersectionForRemoteCluster() {
                 randomDlsQuery(),
                 randomIndexPrivilege(),
                 randomBoolean(),
+                IndexComponentSelector.DATA,
                 randomAlphaOfLength(9)
             )
             .addRemoteClusterPermissions(
@@ -267,6 +271,7 @@ public void testGetRoleDescriptorsIntersectionForRemoteClusterReturnsEmpty() {
                         randomDlsQuery(),
                         randomIndexPrivilege(),
                         randomBoolean(),
+                        IndexComponentSelector.DATA,
                         randomAlphaOfLength(3)
                     );
                     baseRole.addRemoteClusterPermissions(remoteCluster);
@@ -278,6 +283,7 @@ public void testGetRoleDescriptorsIntersectionForRemoteClusterReturnsEmpty() {
                         randomDlsQuery(),
                         randomIndexPrivilege(),
                         randomBoolean(),
+                        IndexComponentSelector.DATA,
                         randomAlphaOfLength(4)
                     );
                     limitedByRole1.addRemoteClusterPermissions(remoteCluster);
@@ -289,6 +295,7 @@ public void testGetRoleDescriptorsIntersectionForRemoteClusterReturnsEmpty() {
                         randomDlsQuery(),
                         randomIndexPrivilege(),
                         randomBoolean(),
+                        IndexComponentSelector.DATA,
                         randomAlphaOfLength(5)
                     );
                     limitedByRole2.addRemoteClusterPermissions(remoteCluster);
@@ -307,6 +314,7 @@ public void testGetRoleDescriptorsIntersectionForRemoteClusterReturnsEmpty() {
                 randomDlsQuery(),
                 randomIndexPrivilege(),
                 randomBoolean(),
+                IndexComponentSelector.DATA,
                 randomAlphaOfLength(5)
             );
             limitedByRole1.addRemoteIndicesGroup(
@@ -315,6 +323,7 @@ public void testGetRoleDescriptorsIntersectionForRemoteClusterReturnsEmpty() {
                 randomDlsQuery(),
                 randomIndexPrivilege(),
                 randomBoolean(),
+                IndexComponentSelector.DATA,
                 randomAlphaOfLength(4)
             );
             limitedByRole2.addRemoteIndicesGroup(
@@ -323,6 +332,7 @@ public void testGetRoleDescriptorsIntersectionForRemoteClusterReturnsEmpty() {
                 randomDlsQuery(),
                 randomIndexPrivilege(),
                 randomBoolean(),
+                IndexComponentSelector.DATA,
                 randomAlphaOfLength(3)
             );
         }

x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/permission/SimpleRoleTests.java

@@ -8,6 +8,7 @@
 package org.elasticsearch.xpack.core.security.authz.permission;
 
 import org.elasticsearch.TransportVersion;
+import org.elasticsearch.action.support.IndexComponentSelector;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.test.ESTestCase;
 import org.elasticsearch.xpack.core.security.authz.AuthorizationEngine;
@@ -157,17 +158,27 @@ public void testGetRoleDescriptorsIntersectionForRemoteCluster() {
                 null,
                 IndexPrivilege.READ,
                 true,
+                IndexComponentSelector.DATA,
                 "remote-index-a-1",
                 "remote-index-a-2"
             )
-            .addRemoteIndicesGroup(Set.of("remote-*-a"), FieldPermissions.DEFAULT, null, IndexPrivilege.READ, false, "remote-index-a-3")
+            .addRemoteIndicesGroup(
+                Set.of("remote-*-a"),
+                FieldPermissions.DEFAULT,
+                null,
+                IndexPrivilege.READ,
+                false,
+                IndexComponentSelector.DATA,
+                "remote-index-a-3"
+            )
             // This privilege should be ignored (wrong alias)
             .addRemoteIndicesGroup(
                 Set.of("remote-cluster-b"),
                 FieldPermissions.DEFAULT,
                 null,
                 IndexPrivilege.READ,
                 false,
+                IndexComponentSelector.DATA,
                 "remote-index-b-1",
                 "remote-index-b-2"
             )
@@ -178,6 +189,7 @@ public void testGetRoleDescriptorsIntersectionForRemoteCluster() {
                 null,
                 IndexPrivilege.get(Set.of(randomFrom(IndexPrivilege.names()))),
                 randomBoolean(),
+                IndexComponentSelector.DATA,
                 randomAlphaOfLength(9)
             )
             .addRemoteClusterPermissions(

x-pack/plugin/security/qa/security-trial/src/javaRestTest/java/org/elasticsearch/xpack/security/FailureStoreSecurityRestIT.java

@@ -47,13 +47,13 @@ public void testFailureStoreAccess() throws IOException {
             {
               "description": "Role with data access",
               "cluster": ["all"],
-              "indices": [{"names": ["test*"], "privileges": ["read"]}]
+              "indices": [{"names": ["test*"], "privileges": ["read"], "selectors": ["data"]}]
             }"""), dataAccessRole);
         upsertRole(Strings.format("""
             {
               "description": "Role with failure store access",
               "cluster": ["all"],
-              "indices": [{"names": ["test*::failures"], "privileges": ["read"]}]
+              "indices": [{"names": ["test*"], "privileges": ["read"], "selectors": ["failures"]}]
             }"""), failureStoreAccessRole);
 
         createTemplates();